TLS encryption not working for users connecting to FTP server. No access to private key.
The ACF2 keyring that holds the various certificates has a default certificate.
When a file transfer is initiated from the mainframe to the secure FTP server,
that default certificate is read together with its private key, even though a default certificate is not required
for the handshake with an external server.
When the logonid performing the transfer is NON-CNCL, the read of the private key succeeds without any issue.
Release : 16.0
Component : CA ACF2 for z/OS
To resolve this problem, create a keyring to which only the root and intermediate signing certificates
of the server certificate are added.
No default user certificate is then involved, and the handshake with the external server can be completed.
NON-CNCL allows access to the keyring and to the certificate private key because
it grants access to the RDATALIB class resource ring_owner.ringname.LST.
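As an added example, not taken from this article, the ACF2 commands that build such a CA-only keyring, point the FTP client at it, and grant the transferring logonid READ on the ring's RDATALIB resource instead of relying on NON-CNCL. The logonid FTPUSER, ring name FTPCARING, certificate data set names, UID mask and the RDATALIB type code RDL are assumptions; check your GSO CLASMAP and naming conventions before use.

```text
* Added example, not from the article. Assumed names: logonid FTPUSER,
* keyring record FTPUSER.FTPCARING, CA certificate data sets, type code RDL.

* 1. Create an empty keyring owned by the FTP logonid.
SET PROFILE(USER) DIV(KEYRING)
INSERT FTPUSER.FTPCARING RINGNAME(FTPCARING)

* 2. Insert only the root and intermediate CA certificates. No personal
*    certificate is placed on this ring, so no private key is ever read.
SET PROFILE(USER) DIV(CERTDATA)
INSERT CERTAUTH.ROOTCA DSNAME('HLQ.ROOTCA.CERT') LABEL(RootCA) TRUST
INSERT CERTAUTH.INTCA  DSNAME('HLQ.INTCA.CERT')  LABEL(IntermediateCA) TRUST

* 3. Connect them to the ring as certificate-authority entries.
CONNECT CERTDATA(CERTAUTH.ROOTCA) KEYRING(FTPUSER.FTPCARING) USAGE(CERTAUTH)
CONNECT CERTDATA(CERTAUTH.INTCA)  KEYRING(FTPUSER.FTPCARING) USAGE(CERTAUTH)

* 4. Rebuild the in-storage profile records so the new ring is active.
F ACF2,REBUILD(USR),CLASS(P)

* 5. Least privilege: allow READ on ring_owner.ringname.LST for the
*    transferring logonid only (assumes RDATALIB maps to type code RDL
*    and that the UID mask FTPUSER matches that logonid).
SET RESOURCE(RDL)
COMPILE * STORE
$KEY(FTPUSER) TYPE(RDL)
 FTPCARING.LST UID(FTPUSER) SERVICE(READ) ALLOW

F ACF2,REBUILD(RDL)

* 6. FTP.DATA: point the FTP client at the new ring (owner/ringname).
KEYRING FTPUSER/FTPCARING
```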